Learn client IP addresses
Knowing the real client IP address is essential for authorization, because proxy policies and authentication rules match on it. When a NAT device sits between the FortiGate and the client, the proxy only sees the NAT device's address; this feature recovers the real client address from an HTTP request header.
config web-proxy global
    set learn-client-ip {enable | disable}
    set learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}
    set learn-client-ip-srcaddr <address> ... <address>
end
learn-client-ip {enable | disable}
    Enable/disable learning the client's IP address from HTTP request headers.

learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}
    Learn client IP addresses from the specified header (True-Client-IP, X-Real-IP, or X-Forwarded-For).

learn-client-ip-srcaddr <address> ... <address>
    Names of the source address objects to which client IP learning applies.
Example
In this example, the real client IP address, learned from the X-Forwarded-For header, is used to match a proxy policy for FSSO authentication.
To enable learning the client IP address:
config web-proxy global
    set proxy-fqdn "default.fqdn"
    set webproxy-profile "default"
    set learn-client-ip enable
    set learn-client-ip-from-header x-forwarded-for
    set learn-client-ip-srcaddr "all"
end
To configure the proxy policy:
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set service "w"
        set action accept
        set schedule "always"
        set groups "fsso1"
        set utm-status enable
        set av-profile "default"
        set dlp-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    next
end
To configure the authentication scheme and rule:
config authentication scheme
    edit "scheme1"
        set method fsso
    next
end

config authentication rule
    edit "rule1"
        set srcaddr "all"
        set sso-auth-method "scheme1"
    next
end
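The following is an added example, not FortiGate code, that models how the three options above combine: the header named by learn-client-ip-from-header is honoured only when the TCP peer falls inside learn-client-ip-srcaddr, and otherwise the peer address is kept. With srcaddr set to "all", as in the example configuration, every peer's header is accepted; narrowing srcaddr to the NAT device's range makes the same header from any other peer irrelevant. The first X-Forwarded-For entry being taken as the client, and CIDR strings standing in for address object names, are assumptions of this model, not documented FortiOS behaviour.

```python
import ipaddress
from typing import Dict, Iterable

# Header names selectable with learn-client-ip-from-header.
HEADER_OPTIONS = {
    "true-client-ip": "True-Client-IP",
    "x-real-ip": "X-Real-IP",
    "x-forwarded-for": "X-Forwarded-For",
}


def learn_client_ip(peer_ip: str, headers: Dict[str, str], from_header: str,
                    srcaddr: Iterable[str], enabled: bool = True) -> str:
    """Return the address the proxy should treat as the client.

    peer_ip     - source address of the TCP connection (the NAT device when
                  one sits in front of the proxy)
    headers     - HTTP request headers, matched case-insensitively
    from_header - value of learn-client-ip-from-header
    srcaddr     - trusted source ranges as CIDR strings (assumed stand-in for
                  address object names); "all" trusts every peer
    """
    if not enabled:
        return peer_ip
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(r == "all" or peer in ipaddress.ip_network(r, strict=False)
                  for r in srcaddr)
    if not trusted:
        return peer_ip  # header from an untrusted peer is ignored
    wanted = HEADER_OPTIONS[from_header].lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            # X-Forwarded-For may carry a chain; assume the leftmost entry is
            # the original client. Reject anything that is not an IP address.
            candidate = value.split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                return peer_ip  # malformed header: keep the peer address
    return peer_ip  # header absent: keep the peer address


# Constructed sample: a NAT device at 10.0.0.1 forwards a request that
# originated from 192.168.5.20.
SAMPLE_HEADERS = {"Host": "intranet.example",
                  "X-Forwarded-For": "192.168.5.20, 10.0.0.1"}
```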